Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
19/05/2024, 22:38
General
-
Target
5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
-
Size
658KB
-
MD5
5bd91a97aa2e10adc9c00c400b50158f
-
SHA1
16c2d0132914fe69e2d3bee62bd868f256a1db3a
-
SHA256
d358c87cf527ba9f5036d0fa620101d49d526c023187f29a86f3fdb8510263d6
-
SHA512
26c7b202a08e8a18c2a61ee2017b6e696f82649241335863073dd89faa05f31eac187f5d7c540733a6833b7d5ea65ecfbeeb86d9bb1af64a7b9e0a6dbcbbb304
-
SSDEEP
6144:qIO3wz0Co3sLuwhOAJBGiDZdDn6h60rk8/W7Tr7s5A0fgYXkSByW7huU0:XHpZdOU0rk8qhGgYXh70
Malware Config
Extracted
azorult
http://vitani.tk/disk/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"2⤵
- Drops startup file
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD55bd91a97aa2e10adc9c00c400b50158f
SHA116c2d0132914fe69e2d3bee62bd868f256a1db3a
SHA256d358c87cf527ba9f5036d0fa620101d49d526c023187f29a86f3fdb8510263d6
SHA51226c7b202a08e8a18c2a61ee2017b6e696f82649241335863073dd89faa05f31eac187f5d7c540733a6833b7d5ea65ecfbeeb86d9bb1af64a7b9e0a6dbcbbb304
-
Filesize
128KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
680KB
-
Filesize
624KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB